1. Field of the Invention
This invention relates generally to computer network security and more particularly to a system and method for parsing, summarizing and reporting log data.
2. Description of the Related Art
Security devices such as network firewalls and routers act as data checkpoints that examine and block messages that do not meet specified device policies and security criteria. Network firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet. Typically, all messages entering or leaving a private network, such as an intranet network, pass through a network firewall. The network firewall protects servers, workstations, personal computers, databases, storage devices, and other intranet-connected devices from virulent data, SPAM, and attempts to breech network security. Security schemes using network firewalls generally work well when network traffic is light to moderate. For example, attacks can usually be stopped using intrusion detection software. Later, security staff can manually review firewall log files to assure that proper remedies have been applied, and to gauge the effectiveness of the remedies.
However, as network performance increases and security attacks proliferate, a fundamental problem with network firewalls becomes manifest. A firewall may produce over 10 million various messages (i.e., log data) per day. If this data were printed as quickly as it was created, it would consume a ream of paper in less than 5 minutes. At high network speeds where multiple attacks can occur over a short period of time, existing firewall technology may generate such a large volume of raw log data that human review of the data after a security attack is nearly impossible. The amount of log data generated by security devices and vendors' consoles can quickly overwhelm a security staff, which may cause them to actually disable alarms that generate high volumes of messages. In many cases, the data is simply ignored or lost.
It would be desirable to provide a system and method to capture security log data, analyze it, and report attack information quickly, so that proper security remedies may be applied in a timely manner.